The Computer Fraud and Abuse Act is under the microscope again following a stiff sentence for Andrew Auernheimer, who will spend just over three years in prison for taking personal data from a publicly accessible website and giving it to a popular blog.

A digital rights group, while admitting that Auernheimer's behavior during trial didn't help, says the CFAA -- used by law enforcement in two other recent cases -- is too vague.

Weev, who was defended pro bono by New York City law firm Tor Ekeland, P.C., was charged under the Computer Fraud and Abuse Act (CFAA), which has been criticized for being too far-reaching and susceptible to abuse.

A fund has been set up to fight the CFAA and to assist in Weev's appeal.

Even though Weev may have been an unsympathetic defendant,

> "we live in a country where it's
> not a crime to be a jerk,"

Fakhoury noted.

The best-known case prosecuted under the CFAA was that of Reddit co-founder Aaron Swartz, who committed suicide after being indicted.

Last week, journalist Matthew Keys was indicted under the CFAA for allegedly helping members of the hacker collective Anonymous break into the network of the Tribune Company, his former employer.

US hacker Andrew Auernheimer given three-year jail term for AT&T breach

Karen McVeigh
Monday 18 March 2013 17.09 EDT

(excerpts)

Auernheimer's prosecution, under the Computer Fraud and Abuse Act, was being closely watched by critics of the US government's harsh line on hackers.

His sentence on Monday comes after a massive outcry following the suicide of free information activist Aaron Swartz in January.

Swartz was facing multiple charges and a prosecution that his supporters said was excessive.

Hanni Fakhoury, a staff attorney with the EFF, said:

> "It's excessive to say the least. The prosecution
> was excessive because he did not hack into anything.
> He obtained information from a public information
> website. It would be like me going into the Guardian
> website and copying information and emailing it to
> someone else."

Fakhoury said the law was misinterpreted and said:

> "We hope on appeal to get the sentence thrown out."

US attorney Paul Fishman described Auernheimer's reasoning that he was trying to expose security flaws in AT&T's website as a "fiction." Fishman said in a statement:

> "Andrew Auernheimer knew he was breaking the
> law when he and his partner hacked into AT&T's
> servers and stole personal information from
> unsuspecting iPad users.

> "When it became clear that he was in trouble,
> he concocted the fiction that he was trying to
> make the internet more secure, and that all he
> did was walk in through an unlocked door.

> The jury didn't buy it, and neither did the
> court in imposing sentence upon him today."

David Velazquez, the FBI acting special agent in charge of the investigation, said Auernheimer's "self-serving cyber attack" was carried out to promote his business.

He said his conviction and sentence signified the

> "continued and growing efforts of the US attorney's
> office and the FBI in investigating and prosecuting
> computer hacking and intellectual property crimes."

Auernheimer's co-defendant, Daniel Spitler, 27, of
San Francisco, California, previously pleaded guilty
to the same charges and is awaiting sentencing.

Reader's Comment:

From: Sophlady
Date: 19 March 2013 1:23am

'Weev' (Andrew Auernheimer) and his associates discussed selling the list, as proven by transcripts of their conversations entered into evidence.

His codefendant, Daniel Spitler, testified against him, admitting they intended self-enrichment from the scheme.

Weev, a bat xxxx crazy, drug addicted racist and anti-Semite who has harassed people online for years, is guilty as sin.

The people writing articles defending him misrepresent what happened, mainly by omitting the fact that only the people who owned those accounts had legitimate access to them.

Any time a person uses unauthorized access to log into a server or computer he is violating the statute.

I was involved in a case in which the former security chief of a corporation, trying to be rehired by proving his expertise, broke into his former employer's servers. He was, rightly, convicted under the statute.

If you do the crime....

As for Auernheimer being restrained in court after handling his smart phone, a cell phone can be used to set off explosives. The court was right not to let him manipulate his.

It is a wonderful irony that the judge who heard the case and sentenced Weev is African-American. I am sure it taxed his self-control not to call her the n-word.

All-in-all, good riddance (for three years) to bad rubbish.

I've reposted part of this comment from elsewhere because threads for articles like this invariably fill with false information.

People need to know what really happened.

There is no question 'Weev' is guilty as charged. He will get nowhere with an appeal because what he did is exactly what the law forbids.

Mr. Auernheimer was arrested shortly after the incident on drug-related charges in Arkansas by FBI agents.

The Federal agents found cocaine, ecstasy, LSD, and schedule 2 and 3 pharmaceuticals during a warrant-based search of his home.

In early 2011, Mr. Auernheimer and Mr. Spitler were hit with Federal charges for fraud and conspiracy to access a computer without authorization, sending them down the path that eventually led to Monday's sentencing. Mr. Spitler pled guilty in 2011.

While there doesn't seem to be any doubt that the men were involved in the incident, whether or not they actually hacked AT&T's computers, or gained access without authorization, could be seen as something of a grey area.

The script they accessed was openly available and routinely used to help link iPads to their owners' accounts. The way the men used the script, however, fell outside of its intended scope since it was never meant to be a tool for gathering user names and email addresses en masse.

The two never accessed private servers in the incident, and in the sense that most people mean "hack," never hacked into the AT&T computers.

Instead of breaking into AT&T's servers, they wrote code that randomly generated SIM card numbers and presented those to the public server. If the card number matched AT&T's database, the server returned the matching user name and email address.

Mr. Auernheimer said he felt his prosecution was politically motivated, and told The Verge,

> I hope they give me the maximum,
> so people will rise up and storm
> the decks.

There were questions as to what constitutes unauthorized access, meaning did the use of PHP to request user information qualify, or did the men need to work their way into servers that weren't open to the public.

The trial pushed journalist Tim Pool to comment on Twitter,

> "I felt like I was watching a witch trial
> as prosecutors admitted they didn't understand
> computers."

Mr. Auernheimer has already been remanded into custody to start serving his sentence, and he plans to appeal the ruling. Before his sentencing hearing, he told people outside the courthouse,

> "I'm going to jail for doing arithmetic."

While Mr. Auernheimer's statement is technically true, it's all about how he used arithmetic. He did build a list of customer names and email addresses that AT&T never intended to be public, and he used hand-rolled PHP code to help get as much as he could from the servers.

Whether or not the punishment is fitting for the crime, however, is what's up for debate now. The prosecution no doubt feels the sentencing is appropriate, while Mr. Auernheimer thinks he's a scapegoat.

With his plan to appeal, Mr. Auernheimer will likely stay in the public eye while the courts decide if what he did really does warrant a sentence that spans more than six years.

In a jury verdict and sentence that might have repercussions for all those hacktivists out there, Andrew Auernheimer has been sentenced to three years and five months for stealing personal data about 120,000 iPad users.

Auernheimer's defense was that he was trying to make the Internet more secure by walking through an unlocked door at AT&T.

The jury didn't agree.

Auernheimer was indicted with co-defendant Daniel Spitler and Goatse Security. They used an "account slurper" to match e-mail addresses with identifiers for iPad users, and then used a "brute force" attack to get information about the users from the AT&T servers.

The information was then provided to Gawker.com, which published an article about the people whose information was hacked.

Spitler pleaded guilty in June, 2011, and is still awaiting sentencing.

This verdict is probably just a beginning.

It could take a few more before the message gets through that people are no longer impressed with the idea that hacktivists are overflowing with altruism.

But the Reuters social media producer will face decades in jail under the same law used against Swartz if convicted of helping Anonymous hack the Los Angeles Times Web site in late 2010 -- a parallel that has Keys's lawyers and some commentators grouping the two as twin victims of America's mangled computer crime laws.

Their cases may look the same, but they involve entirely different sections of a controversial cyber crime law.

Keys was recently charged with different computer crimes under the same law.

Prosecutors allege the 26-year-old journalist, who has been suspended from Reuters with pay, helped Anonymous deface the Los Angeles Times Web site by giving log-in credentials to a hacker in an Anonymous chatroom, shortly after Keys was fired by the company that owns the Times.

But legal experts caution that the cases are different, despite their apparent parallels.

And bloggers like Jason Gooljar are finding out exactly how controversial it is to call Keys "the next Aaron Swartz" -- Gooljar quickly updated a post with that title after Redditors slammed the comparison as an "insult" to Swartz's memory.

> "Aaron Swartz and Matthew Keys are very different,"

said Orin Kerr, a law professor at George Washington University and a respected expert on cyber crime.

> "They were charged under completely different
> parts of the law."

The law in question is the Computer Fraud and Abuse Act, the much-maligned, much-amended 1984 computer crime law that governs many government and commercial cases. The CFAA has not gotten much love from legal experts in the past few years: it's "outrageous," "bullying" and "shockingly vague," depending on whom you ask, and its sweeping terms have been used to charge people for crimes ranging from hacking a Playstation 3 so it could run third-party programs to downloading the client database of an ex-employer.

But while it's easy to see the CFAA as one monolithic relic, Kerr says, the law actually has several parts, and Keys was charged under the least controversial one.

That's because the CFAA's biggest problem lies in its use of the phrase "unauthorized access" -- a vague, only loosely defined term that has left prosecutors and courts to their own interpretations.

Keys's part of the law doesn't mention that term.
Swartz's does.

Aside from the difference in their alleged crimes, there's also a split in apparent motives.

As many of Swartz's defenders have pointed out on social media, Swartz was a documented Internet activist who fought publicly for freedom of information.

On the other hand, in chat room transcripts released by the Department of Justice, the user alleged to be Keys urges an Anonymous hacker to "go f--- some s--- up."

That isn't just a public-relations issue: motives can factor into sentencing, too, Kerr says.

--------------------------------
--------------------------------

Ned Netterville

Message 6 of 11, Mar 21, 2013

Robert, Voluntaryists would do away with the silly, statist concept of "intellectual property," which would, of course, exonerate Aaron Swartz. Lots of literature on the wisdom of this position at mises.org
r enemies; it befuddles 'em!--Ned Netterville

rlbaty50

... Similarly, if we would only repeal laws against..., we could eliminate prison over-crowding and exonerate rapists, bank robbers, Bernie Madoff, Charles

Message 9 of 11, Mar 21, 2013

Ned,

It would not seem to me to be productive to quibble with you about "real crimes" and "victim/victimless crimes".

You spoke of exoneration, and that was the subject I addressed.

I think my logic was impeccable, valid and sound.

That is, criminals of all stripes can be exonerated if the laws which they transgress are repealed, retroactively.

Ned, are you now proposing that some Government is appropriate, some laws justified and subject to enforcement by "the long arm of the law/Government", and maybe even some taxes levied to pay for the operations thereof?

Message 10 of 11, Mar 21, 2013

Robert, OK, I see. I should read more carefully. You are right! (Add a Ned notch.) But the analogy was onerous because of the Grand-Canyon size distinction between actions that harm people and victimless crimes.
